What happens if two VTP domains happen to create a same name VLAN?
johnifanx98
Member Posts: 329
in CCNA & CCENT
Say, domain1 has VLANs: vlanA, vlanB, vlanC
domain2 has VLANs: vlanC, vlanD, vlanE
Will hosts connected to switches in domain1 vlanC communicate with hosts connected to switches in domain2 vlanC?
Comments
-
networker050184 Mod Posts: 11,962
Do you mean two VLANs with the same name or number? If it's the same number, then as long as there is a forwarding path between the two hosts it's the same VLAN. VTP has no effect on the forwarding of traffic besides pruning.
An expert is a man who has made all the mistakes which can be made.
-
bermovick Member Posts: 1,135
No. Domain names have to match to share VTP information, IIRC.
As far as I know, they should. Assuming the vlan# matches (since that's what counts), and the trunk between the 2 switches carries vlan C, it doesn't matter that they don't coordinate their vlans between each other.
Latest Completed: CISSP
Current goal: Dunno
-
4_lom Member Posts: 485
Simply put, no. Because they are not in the same domain. Otherwise, there would be no point for using VTP.
Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
-
johnifanx98 Member Posts: 329
networker050184 wrote: » Do you mean two VLANs with the same name or number? If it's the same number, then as long as there is a forwarding path between the two hosts it's the same VLAN. VTP has no effect on the forwarding of traffic besides pruning.
Let me clarify the situation in more detail. A switch in domain1 learned vlanC from the VTP server of domain1, and another switch in domain2 learned vlanC from the VTP server in domain2. As you've mentioned, it looks like these two vlanC are as if created without VTP.
If so, will it pose security risks? Say, one VLAN could be merged with another VLAN in another domain which is totally not as designed?
If not, how is this avoided? I assume the VLAN tag only reflects the name of the VLAN, not the domain?!
-
networker050184 Mod Posts: 11,962
johnifanx98 wrote: » Let me clarify the situation in more detail. A switch in domain1 learned vlanC from the VTP server of domain1, and another switch in domain2 learned vlanC from the VTP server in domain2. As you've mentioned, it looks like these two vlanC are as if created without VTP.
If so, will it pose security risks? Say, one VLAN could be merged with another VLAN in another domain which is totally not as designed?
If not, how is this avoided? I assume the VLAN tag only reflects the name of the VLAN, not the domain?!
The 802.1Q header does NOT contain the VLAN name. This is something used by humans (and carried in VTP) for ease of use so you don't have to memorize numbers. The name is arbitrary when it comes to a frame being forwarded on the network.
VTP is only used for management of VLANs. Is it a security risk to have two domains in a single network? I'm not sure, but I think it's pretty dumb to use VTP at all, so I'm probably not the best person to ask for usage information on it.
-
networker050184 Mod Posts: 11,962
4_lom wrote: » Simply put, no. Because they are not in the same domain. Otherwise, there would be no point for using VTP.
That is not true. VTP only allows the switch to create the VLANs. It does not influence the forwarding of frames. If a switch receives a frame with an 802.1Q header with VLAN 10, it will forward it regardless of VTP. They are independent functions.
-
Roguetadhg Member Posts: 2,489
networker050184 wrote: » That is not true. VTP only allows the switch to create the VLANs. It does not influence the forwarding of frames. If a switch receives a frame with an 802.1Q header with VLAN 10 it will forward it regardless of VTP. They are independent functions.
If it's Version 2 otherwise Transparent vtp switches had problems forwarding packets if it was not in the same vtp domain/pw.
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
networker050184 Mod Posts: 11,962
Roguetadhg wrote: » If it's Version 2 otherwise Transparent vtp switches had problems forwarding packets if it was not in the same vtp domain/pw.
Again, VTP isn't going to influence the forwarding of the frames. You can set any VTP parameter you want, but if the switches both have the VLAN and a forwarding path between them (a trunk or access port) the communication will occur. This is the difference between control and forwarding plane functions.
-
Forsaken_GA Member Posts: 4,024
Roguetadhg wrote: » If it's Version 2 otherwise Transparent vtp switches had problems forwarding packets if it was not in the same vtp domain/pw.
That's not the case being discussed here. In the example, there would be two different VTP domains, so you've got one set of switches in one vtp domain that are in client/server mode, and another set of switches in another vtp domain.
As long as there's a trunk link between the two domains, and the vlans in question are allowed on the trunk, then yes, vlans of the same number would be able to communicate between the different vtp domains. The only time you need VTP transparent is when you want a switch in the transit path within the VTP domain (ie, switch 1 needs to share VTP information with switch 3, but the only way to get there is to go through switch 2 which isn't desired to be participating in VTP, then switch 2 would need to be in transparent mode in order to forward the VTP information on to switch 3).
Now whether the hosts between each side could communicate would depend on whether or not their layer 3 addressing information was consistent or not, but the hosts in the vlan in each domain would at least be capable of seeing the layer 2 frames.
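
An added example, not part of any post in this thread: it builds and parses an 802.1Q tag to show that the frame carries only a 12-bit VLAN ID (no name, no VTP domain), and models the trunk's allowed-VLAN list as the control that decides whether two domains' VLANs end up in one layer 2 segment. The VLAN IDs, MAC addresses and the `l2_reachable` helper are assumptions constructed for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
DST = bytes.fromhex("020000000002")  # constructed, locally administered MACs
SRC = bytes.fromhex("020000000001")

def build_tagged_frame(vid, pcp=0, dei=0, ethertype=0x0800, payload=b""):
    """Build a constructed Ethernet frame carrying one 802.1Q tag."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit PCP, 1-bit DEI, 12-bit VID
    return DST + SRC + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_dot1q(frame):
    """Return the tag fields, or None if the frame is untagged or truncated."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": ethertype}

def crosses_trunk(frame, allowed_vids):
    """Trunk decision: only the VLAN ID and the allowed list are consulted."""
    tag = parse_dot1q(frame)
    return tag is not None and tag["vid"] in allowed_vids

def l2_reachable(vlans_a, name_a, vlans_b, name_b, allowed_vids):
    """True if a frame sent in name_a (domain A) lands in name_b (domain B)."""
    frame = build_tagged_frame(vlans_a[name_a])  # the name is resolved locally
    return (crosses_trunk(frame, allowed_vids)
            and parse_dot1q(frame)["vid"] == vlans_b[name_b])

# Constructed VLAN databases (name -> ID); the IDs are assumptions for the example.
DOMAIN1 = {"vlanA": 10, "vlanB": 20, "vlanC": 30}
DOMAIN2 = {"vlanC": 30, "vlanD": 40, "vlanE": 50}
DOMAIN3 = {"vlanC": 31}  # same name as domain1's vlanC, different ID

if __name__ == "__main__":
    print(parse_dot1q(build_tagged_frame(30, payload=b"data")))
    print(l2_reachable(DOMAIN1, "vlanC", DOMAIN2, "vlanC", {30}))      # same ID, trunked
    print(l2_reachable(DOMAIN1, "vlanC", DOMAIN2, "vlanC", {10, 20}))  # ID not on trunk
    print(l2_reachable(DOMAIN1, "vlanC", DOMAIN3, "vlanC", {30, 31}))  # same name only
```

Restricting the allowed list on the link between the two domains to the VLAN IDs that are meant to be shared is what keeps an accidental ID collision from joining two segments.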